Mastering the LDAP search filter, Part 2

LDIFDE is a powerful command-line tool that, with a little practice, can easily extract specific information about AD objects. Expert Gary Olsen explains how to limit your search by way of an object class LDAP filter.


We left off discussing how we can limit our search by way of an object class LDAP filter. The example below shows the use of the -r option to return only user objects. Be aware that in the AD schema the computer class is derived from user, so (objectClass=user) on its own also matches computer accounts; adding a second clause, (&(objectClass=user)(objectCategory=person)), keeps the result to user accounts.

We also discussed briefly that you can find these object classes by looking at the list of schema classes in the Active Directory Schema snap-in (Schema Manager) or in ADSIedit. Figure 1 shows a screen shot of the Schema Manager and how the classes are listed. Thus, we could specify any of these object classes in the objectClass filter. Note that we could filter on sites, since "site" is an object class. However, just plugging "site" into the previous command will find nothing:

This is because the search base (the DN given with -d, or the domain naming context when -d is omitted) is in the domain partition, while site objects live in the Configuration partition. This is easily seen in Figure 2, where ADSIedit shows the Sites container at cn=Sites,cn=Configuration,dc=corp,dc=net; the individual site objects sit directly beneath it.

Figure 2

So reformatting our ldifde command with the proper DN as the -d search base would produce the desired result:
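As an added example that is not from the article, here is how the object-class filter (-r) and the search base (-d) fit together in an ldifde export, covering both the user-only export mentioned earlier and the site export that needs the Configuration partition. dc=corp,dc=net is the article's example forest; the RootDSE lookup finds your own naming contexts instead of hard-coding them, and the output file names are arbitrary.

```powershell
# Added example, not from the article: picking the object-class filter (-r) and
# the search base (-d) for an ldifde export. Run in PowerShell on a domain-joined
# machine as a user with read access to the directory. dc=corp,dc=net is the
# article's example forest; the RootDSE lookup below finds your own names.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNc = [string]$rootDse.defaultNamingContext         # e.g. DC=corp,DC=net
$configNc = [string]$rootDse.configurationNamingContext   # e.g. CN=Configuration,DC=corp,DC=net

# 1. User objects only. ldifde searches the domain naming context when -d is
#    omitted; it is spelled out here to make the base explicit.
#    Caveat: in the AD schema the computer class is derived from user, so
#    (objectClass=user) on its own also matches computer accounts. Adding
#    (objectCategory=person) keeps the result to user accounts.
ldifde -f users.ldf -d $domainNc -p subtree -r "(&(objectClass=user)(objectCategory=person))"

# 2. Site objects live in the Configuration partition. Searching the domain
#    partition for them, as the article's first attempt does, finds no entries:
ldifde -f sites-wrong.ldf -d $domainNc -p subtree -r "(objectClass=site)"

#    Point -d at the Sites container under the Configuration naming context and
#    the same filter returns every site in the forest:
ldifde -f sites.ldf -d "CN=Sites,$configNc" -p subtree -r "(objectClass=site)"

# Sanity check: count the entries ("dn:" lines) each run produced. ldifde may
# not create the file at all when a search returns nothing, hence Test-Path.
foreach ($file in 'users.ldf', 'sites-wrong.ldf', 'sites.ldf') {
    $count = if (Test-Path $file) { @(Select-String -Path $file -Pattern '^dn:').Count } else { 0 }
    '{0,-16} {1} entries' -f $file, $count
}
```

ldifde.exe is present on domain controllers and on any machine with the AD DS tools from RSAT installed; add -s with a DC name if you want the export to come from a particular domain controller rather than whichever one the machine locates.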

For this reason, I prefer ADSIedit for finding object classes: it also displays the DN path to the object, which is exactly what the -d search base needs.

Now we can get a list of users or computers rather than dumping the whole AD. That's an improvement, but what if we want all the users whose last name begins with the letter "J"? In order to do this we need a complex filter, specifying not only to return user objects, but further filtering the search to include only those whose surnames begin with "J". A complex filter uses the And, Or and Not constructs, which LDAP writes in prefix notation with the operators & (And), | (Or) and ! (Not). The format of the filter is (&(filter1)(filter2)) for And, (|(filter1)(filter2)) for Or and (!(filter1)) for Not.

Note that the operator comes at the beginning of the expression, ahead of the filters it combines. By convention "filter1" is the broader filter (the object class) and "filter2" the finer one, although the order does not change the result. Consider the following filter to find all the user objects whose last names start with "L" in the OU "Domain Administrators". The attribute for last name, or surname, is "sn", and the trailing asterisk makes (sn=L*) a prefix match.

So now we have limited the search to users in the Domain Administrators OU whose surname (sn attribute) starts with "L". Note, however, that this still returns every attribute that has a value on each object:

We aren't interested in all those boring attributes; we just want to list the displayName of each user along with the city and state they are in. To restrict the output to certain attributes, use the -l option, which takes a comma-separated list of attribute names. The trick is to know the LDAP names of the attributes you want. Again we can turn to the ADSIedit tool, as shown in Figure 3.

Figure 3

Here I looked at the properties of a user whose attributes I wanted to query. For instance, I know that the Gary Olsen user is in the city of Alpharetta and the state of Georgia (GA). Thus in ADSIedit I see that "l" (locality) holds the city and "st" (stateOrProvinceName) holds the state; displayName is self-explanatory. Note that these are standard LDAP attribute names inherited from the X.500 schema, not something Microsoft made up. Now, armed with the attribute names we want, we can formulate the command:

Note that each entry begins with its distinguished name (dn) and a "changetype: add" line, which ldifde always writes on export; the rest of the entry is what we specified with -l. Also note that Jason Lane lists only the "l" (city) attribute, since Adelaide is in Australia and no state (st) value was set for him. Attributes that have no value are simply omitted from the output rather than shown as empty. In fact, only Tony has both city and state defined; the others have no city or state listed because those attributes were never populated.
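Putting the pieces above together, as an added example that is not part of the article: the And-filter scoped to the OU, -l to trim the output, and then a small ConvertFrom-Ldif function (written here, not a feature of ldifde) that reads the export back into objects so that attributes with no value show up as blank columns instead of silently missing lines. The OU, the "L*" surname pattern and dc=corp,dc=net are the article's; admins.ldf is an arbitrary file name.

```powershell
# Added example, not from the article: filtered, attribute-limited ldifde export
# followed by a parser for the resulting LDIF. The OU, surname pattern and
# dc=corp,dc=net are the article's example values; adjust them for your forest.

$searchBase = "OU=Domain Administrators,DC=corp,DC=net"

# And-filter in LDAP prefix notation: the operator (&) comes first, then the
# broad clause (user objects) and the finer clause (surname starts with L).
# objectCategory=person excludes computer accounts, which also carry objectClass=user.
$filter = "(&(objectClass=user)(objectCategory=person)(sn=L*))"

# -l takes a comma-separated attribute list; dn and changetype are always written.
ldifde -f admins.ldf -d $searchBase -p subtree -r $filter -l "displayName,l,st"

# Parse an ldifde export into PSCustomObjects. Handles the two LDIF details that
# bite a naive line splitter: base64 values ("attr:: ...") and folded lines that
# start with a single space. Attributes named in -Attributes but absent from an
# entry are reported as $null so they stand out in the table.
function ConvertFrom-Ldif {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Attributes = @()
    )

    # Re-join folded lines first (a leading space continues the previous line).
    $unfolded = New-Object System.Collections.Generic.List[string]
    foreach ($line in (Get-Content -Path $Path)) {
        if ($line.StartsWith(' ') -and $unfolded.Count -gt 0) {
            $unfolded[$unfolded.Count - 1] += $line.Substring(1)
        } else {
            $unfolded.Add($line)
        }
    }

    $entries = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in $unfolded) {
        if ($line -eq '') {                       # a blank line ends an entry
            if ($null -ne $current) { $entries.Add($current); $current = $null }
            continue
        }
        if ($line -match '^(?<name>[^:]+)::\s*(?<value>.*)$') {   # base64-encoded value
            $name  = $matches.name
            $value = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($matches.value))
        } elseif ($line -match '^(?<name>[^:]+):\s*(?<value>.*)$') {
            $name  = $matches.name
            $value = $matches.value
        } else {
            continue                              # not an attribute line
        }

        if ($name -eq 'dn') {
            $current = [ordered]@{ dn = $value }
            foreach ($a in $Attributes) { $current[$a] = $null }
        } elseif ($null -ne $current -and $name -ne 'changetype') {
            if ($null -eq $current[$name]) { $current[$name] = $value }
            else { $current[$name] = @($current[$name]) + $value }   # multi-valued attribute
        }
    }
    if ($null -ne $current) { $entries.Add($current) }   # file may lack a final blank line

    foreach ($e in $entries) { [pscustomobject]$e }
}

# One row per user; l and st are blank where the directory has no value for them.
ConvertFrom-Ldif -Path admins.ldf -Attributes displayName, l, st |
    Format-Table dn, displayName, l, st -AutoSize
```

The same filter string works unchanged with Get-ADUser -LDAPFilter $filter -SearchBase $searchBase -Properties l,st when the ActiveDirectory PowerShell module is available, which is a convenient way to confirm what ldifde returned.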

Ldifde is a powerful command-line tool that can easily extract specific information about AD objects. It does take a little work, but using the examples given in these articles, you can formulate commands to get your desired results. This is very useful in troubleshooting problems where you need to determine the value of certain attributes on a number of objects. Rather than opening a tool like LDP or ADSIedit and then drilling into each object to observe the attribute values, you can dump the desired attributes and objects to a text file. This is great for technical support personnel, as they can give the customer a simple command that generates a small file which can be easily emailed and evaluated. Keep in mind that the file contains whatever -l names for every matching object, so limit the attribute list to what is actually needed before sending it to anyone. Taking a little time to practice these commands will make them second nature to you.
